Electronic health information and privacy

February 12, 2010

Gorbushka Market, just outside central Moscow, does a thriving trade in any electronics good you could want: mobile phones, plasma television sets, the latest DVDs, and, if you ask to see them, software peddlers will show potential clients a list of "databases".

Each contains confidential information gathered by Russian law enforcement or government agencies: anything from arrest records, personal addresses, passport numbers, phone records or address books to bank account details, known associates, tax data and flight records are on offer.

The confidential information is a goldmine for criminals, spies and journalists -- but most of all for the police and bureaucrats that sell the information to computer hackers, who mass produce the CDs and sell them openly through vendors in electronics markets or online.

Elena Lukyanova, a law professor at Moscow State University, said that some legislation in Russia, such as a 2004 law requiring political parties to disclose membership lists, violated constitutional protections on information disclosure and privacy.

“This was done to control the opposition,” she said. “If there are violations of the constitution like this, at the level of legislation, we should not be surprised that laws get violated and these black market databases are out there.”

February 05, 2010

B.C.'s privacy commissioner has launched his own investigation into how sensitive information from 1,400 income-assistance clients ended up at the home of a government employee.

Loukidelis said he's "pretty darn skeptical" the man had clearance to take such information from government offices, although he acknowledged case workers, particularly in the children's ministry, are sometimes given such permission.

The RCMP discovered the security breach during the course of an unrelated investigation in November, the B.C. government has said. The province has so far refused to disclose the nature of that investigation. However, it has sent apology letters to the 1,400 affected people and placed a security flag on their medical service plans.

The information that was removed included spreadsheets full of names, addresses, birth dates, social insurance numbers, personal health card numbers and monthly income-assistance eligibility amounts.

Private information about accident victims treated at University Medical Center has apparently been leaking for months, the Sun has learned, allegedly so ambulance-chasing attorneys could mine for clients.

Sources say someone at UMC is selling a compilation of the hospital’s daily registration forms for accident patients. This is confidential information — including names, birth dates, Social Security numbers and injuries — that could also be used for identity theft.

Selling — or even giving away — such information would violate federal patient-privacy laws and could result in fines and prison time.

UMC is the area’s only level one trauma center, so it draws the majority of Clark County’s seriously injured traffic accident victims. Learning the names of and personal information about these patients would be a boon for personal injury attorneys on the prowl for clients who could win payouts from insurance companies.

The discovery of 19 patient files from a temporary flu assessment clinic on a downtown city street in November reinforces the need for stricter security over such records, say two retired registered nurses from Corner Brook.

The incident, which happened Nov. 6, involved a medical staff member walking home from the clinic. The staff member accidentally lost the records of 19 people who had visited the flu assessment clinic set up at the former Regina High School building earlier that day. The records were found on the sidewalk by a passerby who brought them to The Western Star.

In response to the story published in the Nov. 10 edition of The Western Star, Western Health stated it was common for medical staff to sometimes take records home with them. Nurses Deckert and Lee also took exception to that practice.

“Neither of these methods provides the declared privacy and confidentiality to which a patient is entitled,” Deckert and Lee said in a prepared statement to The Western Star.

Everyone across London will be given the chance to opt out of having a summary care record created.

Director of The Patients Association, Katherine Murphy, said the system had "great potential for making care safer". But she added: "We have heard from patients who have found it is being made increasingly difficult to opt out."

DNA profiles belonging to thousands of people who have paid up to £600 for internet genetic tests are to be transferred to a new organisation, after deCODE Genetics filed for chapter 11 bankruptcy in a US court.

The genetic records of its customers will now be held by Saga Investments, a venture capital group that has agreed to buy deCODE's core science operations, including its deCODEme personalised genetic testing service.

Kari Stefansson, deCODE's chief executive, told The Times that ownership of genetic data remained with the company's customers and that Saga would be bound by a privacy policy that prevents disclosure of data to third parties such as insurers, employers or doctors.

Industry experts said that Saga would want to maximise returns on its investment, and could still make wider use of data that some subscribers may find uncomfortable.

Dan Vorhaus, a lawyer with the US firm Robinson, Bradshaw and Hinson, which specialises in genomics, said that while the new management would be bound by deCODE's customer agreements, these were often unclear and contradictory.

The attorney general is also seeking additional identity theft protection for affected doctors, therapists, and other professionals, according to a statement from the attorney general.

The companies lost the information when a laptop was stolen Aug. 25. The computer held information on the companies' providers nationwide, including names, addresses, tax identification and provider numbers, and some Social Security numbers.

"Failing to promptly notify providers of the breach is inexcusable -- and a possible violation of state law. Waiting two months left providers severely at risk -- needlessly and irresponsibly exposing them to financial mayhem", said Blumenthal.

February 04, 2010

Details about a U.S. Secret Service safe house for the First Family – to be used in a national emergency – were found to have leaked out on a LimeWire file-sharing network recently, members of the House Oversight and Government Reform Committee were told this July 29.

Also unearthed on LimeWire networks were presidential motorcade routes and a sensitive but unclassified document listing details on every nuclear facility in the country, Robert Boback, CEO of Tiversa Inc. told committee members.

Boback also showed numerous documents listing Social Security numbers and other personal details on 24,000 patients at a health care system, as well as FBI files, including surveillance photos of an alleged Mafia hit man that were leaked while he was on trial.

The leaks typically occur when a user installs a P2P client such as Kazaa, LimeWire, BearShare, Morpheus or FastTrack on a computer for the purposes of sharing music and other files with others on the network.

They said that the continued failure by companies such as LimeWire to take more proactive steps to stop inadvertent file-sharing is tantamount to enabling illegal activity resulting from the data leaks.

A confidential memo from one of the most secretive panels in Congress was leaked on a peer-to-peer file-sharing network, publicly detailing sensitive probes involving more than 30 lawmakers and aides.

The 22-page report was freely available on an unnamed file-sharing network after a junior staff member working from home stored it on a computer equipped with P2P software, according to a statement. The employee no longer works for the committee.

Legislators have grown so worried about inadvertent leaking of documents over P2P networks they've considered draconian bills that could render entire web browsers and operating systems illegal.